On 09/17/2014 05:35 AM, Michael Paquier wrote:
> On Thu, Sep 11, 2014 at 10:25 PM, Craig Ringer <craig@2ndquadrant.com> wrote:
>> The PostgreSQL installer now uses the NETWORKSERVICE account on Windows
>> by default (as of 9.2), instead of creating a "postgres" account with
>> username and password. Which is a big improvement to usability.
> Using NETWORKSERVICE is not cool as it is created by the system and
> may be shared by some other processes. I am not sure about the
> security implications but this sounds weird and should be avoided if
> possible.
(Resurrecting this discussion as I missed your reply)
Using NETWORK SERVICE is not ideal. Unfortunately, prior to Windows 7
the platform doesn't have a sane way to create service accounts. Users
are expected to create a service account with a password, know what that
password is, and be able to supply that password again when later
required by other installers.
The alternative, which I advocated in the past, is to generate a random
password to use as the service account password, and store that service
account password in the Registry using a key only readable by the
Administrators group and SYSTEM user. So our installer(s) could read the
service account password when required and the user doesn't have to deal
with the WTFery of having a system "postgres" password that's different
to the postgres user account password. This is more secure than using
NETWORK SERVICE, not less, but I wasn't able to convince anyone that we
should do it.
Using NETWORK SERVICE is less bad than what we had before - and users
can still create a service account if they want, the default just
changed to one that won't cause endless install problems and confusion.
At this point I think we can just not care for older Windows versions
and focus on doing it right on Windows 7 and above, which has sensible
passwordless service accounts.
>> It may be worth adopting this when the installer detects a Windows 7 /
>> Win2k8 R2 or newer system - just create an account like:
>>
>> NT Service\PostgreSQL$EDB-9.4-x86
> By looking here:
> http://msdn.microsoft.com/en-us/library/windows/desktop/bb545671%28v=vs.85%29.aspx
> You'd need to be sure as well that there are necessary privileges in
> ALL SERVICES: at least SeServiceLogonRight and optionally
> SeNetworkLogonRight for network stuff. I guess that it is as well
> necessary to be careful about the platform version and to have a
> fallback mechanism to NETWORKSERVICE if platform version is rather
> old (older than 6.1 for Win2k8 R2 and Win7?!) or if necessary
> privileges are not present but well you are aware of that already :)
--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
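Added example, not from the thread or the EDB installer: a PowerShell sketch of the two approaches Craig describes, storing a generated service-account password under a Registry key locked down to Administrators and SYSTEM, and, on Windows 6.1 or newer, switching the service to a passwordless virtual account instead. The service name and Registry key path are assumptions, and the script must run elevated.

```powershell
# Added example (not from the thread). Assumed names:
$serviceName = 'PostgreSQL$EDB-9.4-x86'                    # assumed service name
$keyPath     = 'HKLM:\SOFTWARE\PostgreSQL\ServiceAccount'  # assumed Registry key

# --- Approach 1: random service password kept where only admins can read it ---

# 32 random bytes from the OS CSPRNG; the user never needs to know this value.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# Create the key and store the secret as a string value.
New-Item -Path $keyPath -Force | Out-Null
Set-ItemProperty -Path $keyPath -Name 'Password' -Value $password

# Replace the inherited ACL with explicit FullControl for Administrators and
# SYSTEM only, so ordinary users (and other services) cannot read the value.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $false)   # break inheritance, drop inherited ACEs
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule($identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyPath -AclObject $acl

# Check: the resulting DACL should list exactly the two principals above.
(Get-Acl -Path $keyPath).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType

# --- Approach 2: passwordless virtual account on Windows 7 / Server 2008 R2+ ---

# Virtual accounts exist from NT 6.1; older platforms fall back to Approach 1
# (or NETWORK SERVICE). The account name must be NT SERVICE\<service name>,
# and no password is supplied because the SCM manages the identity.
if ([Environment]::OSVersion.Version -ge [Version]'6.1') {
    & sc.exe config $serviceName obj= "NT SERVICE\$serviceName"
}
else {
    Write-Warning "Platform older than 6.1: keeping the stored-password account."
}
```

Rerunning the script rotates the stored password; when a real service is bound to it, update the service credential in the same step so the two never drift apart.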